Netwatch 2


Subject: Netwatch 2
From: Adam Elkins (i-robot@gci.net)
Date: Sun Feb 09 2003 - 00:01:49 AKST


Ok, it just happened again. Now that it's there, I can better describe it.

New mail for root@net_slack has arrived:

----
From: Mail Delivery Subsystem
Subject: Returned mail: see transcript for details
This is a MIME-encapsulated message

--1h9KGxT09600.1044821819/net_slack..

(at the bottom of the screen: 'NetBus from 192.168.1.42', which is my main box) When I check the mail, it says:

*******************************************************
WARNING MESSAGE from Netwatch 0.9g at Sun Feb 9

Netbus from 192.168.1.42 to 24.237.63.142 with len=40
45 0 0 28 ED 18 0 0 7D 6 36 6A 18 [I don't feel like typing the rest]
*******************************************************

The table is 4 lines long, but you get the idea. I did a bit more research, and found that Netwatch watches for NetBus/BackOrifice packets. The funny thing is, it says it's coming from my other slack box. Just out of curiosity, I checked the log for Apache on my other box. The IP in the mail was there (24.237.63.142) doing all types of these things:

"GET /scripts/root.exe?/c+dir HTTP/1.1" 404 293

There are 9 or so of these, all "GET"ing different things, including this, which seems very odd:

"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u909 [i don't feel like typing the rest]

I really don't know what all this means. Can someone explain what's going on here?

--------- To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.
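As an added example (not from this post or the aklug list), a small Python script that decodes the partial IPv4 header bytes Netwatch printed and scans Apache access-log lines for the two request strings quoted in the post. The log lines are constructed for the example; only the remote address and the request paths are taken from the post.

```python
import re

# Partial IPv4 header copied from the Netwatch alert quoted in the post; the
# dump stops after the first byte of the source address.
NETWATCH_HEX = "45 0 0 28 ED 18 0 0 7D 6 36 6A 18"

# Constructed Apache access-log lines (not from the post) built from the remote
# address and the two request strings it quotes, plus one ordinary request.
SAMPLE_ACCESS_LOG = [
    '24.237.63.142 - - [09/Feb/2003:00:01:49 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 293',
    '24.237.63.142 - - [09/Feb/2003:00:01:50 -0900] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 288',
    '192.168.1.10 - - [09/Feb/2003:00:02:11 -0900] "GET /index.html HTTP/1.1" 200 1043',
]

def decode_ipv4_prefix(hex_dump):
    """Decode the IPv4 header fields a (possibly truncated) hex dump contains."""
    b = bytes(int(tok, 16) for tok in hex_dump.split())
    f = {
        "version": b[0] >> 4,
        "header_len": (b[0] & 0x0F) * 4,           # IHL counts 32-bit words
        "total_len": int.from_bytes(b[2:4], "big"),
        "ttl": b[8],
        "protocol": b[9],                           # 6 = TCP
        "src_octets_seen": list(b[12:16]),          # only the bytes actually dumped
    }
    # total_len 40 minus a 20-byte IP header leaves exactly a minimal 20-byte
    # TCP header: no payload at all, i.e. a bare connection attempt, not data.
    f["after_ip_header"] = f["total_len"] - f["header_len"]
    return f
# Well-known worm probes of the period: root.exe is the backdoor Nimda checks
# for, and the long default.ida query is the Code Red .ida overflow request.
PROBE_PATTERNS = [
    ("root.exe backdoor probe (Nimda-style)", re.compile(r"/root\.exe\?/c\+")),
    (".ida overflow request (Code Red-style)", re.compile(r"/default\.ida\?N{8,}")),
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def flag_probes(lines):
    """Return (client_ip, label, status) for each line matching a probe pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # not a parseable access-log line; skip it
            continue
        ip, path, status = m.groups()
        for label, pattern in PROBE_PATTERNS:
            if pattern.search(path):
                hits.append((ip, label, int(status)))
                break
    return hits
```

Run against the real access log, the second function gives a per-client list of known worm probes; the 404 status on each shows the requests found nothing to exploit on this host.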



This archive was generated by hypermail 2a23 : Sat Feb 08 2003 - 23:59:07 AKST